Functions/Connect-JGraph.ps1
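function Connect-JGraph {
    <#
    .SYNOPSIS
        Connects the session to Microsoft Graph, either as an application (certificate)
        or interactively (device code).
    .DESCRIPTION
        With -Tenant, the tenant record (TenantId, AppId, CertificateThumbprint) is read from
        SecretManagement and the sign-in is app-only with that certificate. Without -Tenant, a
        device-code sign-in is started with the delegated scope list below; -TenantId pins that
        sign-in to a specific directory. Any existing Graph context is disconnected first.
        When Get-MsalToken (MSAL.PS) is available and app-only auth was used, an access token is
        also placed in $global:GraphHeaders for direct REST calls.
    .PARAMETER Tenant
        Name of the SecretManagement secret holding the tenant's app-auth settings
        (tab-completes on secrets whose name contains "Office365").
    .PARAMETER TenantId
        Directory to target for the interactive (device-code) sign-in. Ignored when -Tenant is given.
    .PARAMETER GetInfo
        After connecting, write the organization and the Graph context to the pipeline.
    .OUTPUTS
        Hashtable with an Authorization header (app-only auth with MSAL.PS only), plus the -GetInfo listings.
    #>
    [CmdletBinding()]
    param(
        [Parameter()]
        [ArgumentCompleter({
            param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
            (Get-SecretInfo "$wordToComplete*Office365*").Name
        })]
        [string] $Tenant,

        [Parameter()]
        [ArgumentCompleter({
            param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
            # NOTE(review): C:\Temp is normally writable by every local user; the file only feeds
            # tab-completion candidates here, but consider moving it to a protected location.
            # A missing file must not throw inside a completer, so errors are suppressed.
            $Tenants = Get-Content "C:\Temp\AdminPortal\PartnerTenants.json" -ErrorAction SilentlyContinue | ConvertFrom-Json
            ($Tenants | Where-Object Domain -Like "$($wordToComplete)*").Domain
        })]
        [string] $TenantId,

        [Parameter()]
        [switch] $GetInfo
    )

    # Always drop the current context so a previous tenant's token is never reused by mistake.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null

    if ($Tenant) {
        # App-only auth. The secret carries no key material, only the thumbprint of a
        # certificate that must already be present in the user's certificate store.
        $TenantConfig = Get-Secret $Tenant -AsPlainText
        Connect-MgGraph -TenantId $TenantConfig.TenantId -AppId $TenantConfig.AppId -CertificateThumbprint $TenantConfig.CertificateThumbprint -ForceRefresh -ClientTimeout 2000
    }
    else {
        # Delegated scopes for interactive admin work. This list is deliberately broad and gives the
        # signed-in user wide write access for the whole session; trim it (least privilege) when the
        # task at hand is narrower. Generated alternatives are kept commented out for reference.
        # $Scopes = Find-MgGraphPermission -PermissionType Delegated -SearchString ReadWrite | Where-Object Consent -EQ Admin
        $Scopes = @(
            "AccessReview.ReadWrite.All"
            "AccessReview.ReadWrite.Membership"
            "AdministrativeUnit.ReadWrite.All"
            "Agreement.ReadWrite.All"
            "APIConnectors.ReadWrite.All"
            "AppCatalog.ReadWrite.All"
            "Application.ReadWrite.All"
            "AppRoleAssignment.ReadWrite.All"
            "Approval.ReadWrite.All"
            "ApprovalRequest.ReadWrite.AdminConsentRequest"
            "CloudPC.ReadWrite.All"
            "ConsentRequest.ReadWrite.All"
            "CustomSecAttributeAssignment.ReadWrite.All"
            "CustomSecAttributeDefinition.ReadWrite.All"
            "DelegatedPermissionGrant.ReadWrite.All"
            "DeviceManagementApps.ReadWrite.All"
            "DeviceManagementConfiguration.ReadWrite.All"
            "DeviceManagementManagedDevices.ReadWrite.All"
            "DeviceManagementRBAC.ReadWrite.All"
            "DeviceManagementServiceConfig.ReadWrite.All"
            "DeviceManagementManagedDevices.PrivilegedOperations.All"
            "Directory.ReadWrite.All"
            "Domain.ReadWrite.All"
            "eDiscovery.ReadWrite.All"
            "EntitlementManagement.ReadWrite.All"
            "Files.ReadWrite.All"
            "Group.ReadWrite.All"
            "GroupMember.ReadWrite.All"
            "IdentityProvider.ReadWrite.All"
            "IdentityRiskEvent.ReadWrite.All"
            "IdentityRiskyUser.ReadWrite.All"
            "IdentityUserFlow.ReadWrite.All"
            "OnPremisesPublishingProfiles.ReadWrite.All"
            "MailboxSettings.ReadWrite"
            "Organization.ReadWrite.All"
            "ProgramControl.ReadWrite.All"
            "RoleAssignmentSchedule.ReadWrite.Directory"
            "RoleEligibilitySchedule.ReadWrite.Directory"
            "RoleManagement.ReadWrite.Directory"
            "RoleManagementPolicy.ReadWrite.Directory"
            "Schedule.ReadWrite.All"
            "SecurityActions.ReadWrite.All"
            "SecurityEvents.ReadWrite.All"
            "ServicePrincipalEndpoint.ReadWrite.All"
            "Sites.ReadWrite.All"
            "Tasks.ReadWrite.Shared"
            "User.ReadWrite.All"
            "UserAuthenticationMethod.ReadWrite.All"
            "WindowsUpdates.ReadWrite.All"
            "Policy.ReadWrite.ApplicationConfiguration"
            "Policy.ReadWrite.AuthenticationFlows"
            "Policy.ReadWrite.AuthenticationMethod"
            "Policy.ReadWrite.Authorization"
            "Policy.ReadWrite.ConditionalAccess"
            "Policy.ReadWrite.ConsentRequest"
            "Policy.ReadWrite.FeatureRollout"
            "Policy.ReadWrite.PermissionGrant"
            "Policy.ReadWrite.TrustFramework"
            "Policy.Read.All"
            # "Presence.Read.All"
            "MailboxSettings.Read", "Calendars.ReadWrite", "Mail.Read"
            "Tasks.Read"
            "Tasks.Read.Shared"
            "ServiceHealth.Read.All"
            "ServiceMessage.Read.All"
        )
        # $Scopes = Find-MgGraphPermission | Where-Object Consent -EQ admin | Where-Object PermissionType -EQ "Delegated" | Where-Object Name -Like *ReadWrite* | Select-Object -ExpandProperty Name

        $ConnectArgs = @{
            UseDeviceAuthentication = $true
            Scopes                  = $Scopes
            Audience                = 'organizations'
        }
        # Without a tenant the device-code flow lands in the user's home directory. Honor -TenantId
        # so a partner tenant picked through tab-completion is actually the one that gets connected.
        if ($TenantId) { $ConnectArgs.TenantId = $TenantId }
        Connect-MgGraph @ConnectArgs
    }
    # Select-MgProfile beta

    if ($GetInfo) {
        Get-MgOrganization | Format-List
        Get-MgContext | Format-List
    }
    $host.ui.RawUI.WindowTitle = (Get-MgOrganization).DisplayName

    if (Get-Command Get-MsalToken -ErrorAction SilentlyContinue) {
        if ($TenantConfig) {
            $Token = Get-MsalToken -ClientId $TenantConfig.AppId -TenantId $TenantConfig.TenantId -ClientCertificate (Get-Item "Cert:\CurrentUser\My\$($TenantConfig.CertificateThumbprint)") -ForceRefresh -ErrorAction SilentlyContinue
            if (-not $Token.AccessToken) {
                # A failed token call used to publish an empty "Bearer " header that every later
                # request would send; surface the failure instead and leave the global untouched.
                Write-Warning "Get-MsalToken returned no access token for app $($TenantConfig.AppId); `$global:GraphHeaders was not updated."
                return
            }
            # The bearer token sits in a plain session global; treat it like a password
            # (do not log it, and it expires on its own token lifetime).
            $global:GraphHeaders = @{ Authorization = "Bearer $($Token.AccessToken)" }
            return $GraphHeaders
        }
    }
}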